This disclosure relates generally to the field of network management and threat management systems. More specifically, the disclosure provided herein relates to strategies for identifying potential threats based on anomalous behaviors of endpoints.
Computers or other endpoints connected to a network, such as a local-area network (“LAN”), a wide-area network (“WAN”), or the Internet, may execute botnets or other malware programs that subject the network to malicious activity, such as sending spam messages, performing denial-of-service attacks, and the like. The botnets or other malware programs may be controlled by one or more centralized server endpoints also attached to the network. Traditional network administration systems may seek to identify and neutralize these threats on the network. For example, a threat management system (“TMS”) may be able to identify communication between one or more client endpoints on the network and a known, bad server endpoint, and flag these endpoints for investigation. In another example, the TMS may detect a recognized pattern of communication between endpoints corresponding to a known threat, and flag the endpoints accordingly.
However, these solutions require knowledge of known, bad endpoints and/or command and control structures of potential threats. Because more and more botnets and other malware are introduced to these networks over time, many bad server endpoints may not be known and the command and control structures may be constantly evolving.
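The two detection strategies the background describes (flagging clients that contact a known bad server, and matching a recognized communication pattern) and the limitation that follows from them can be made concrete with a small script. The following is an added illustration, not code from the disclosure: the flow records, the blocklist address, and the beaconing threshold (four or more connections to one server within a 300-second window) are constructed for the example, using RFC 5737 documentation address ranges.

```python
from collections import defaultdict
from typing import Iterable, NamedTuple, Set


class Flow(NamedTuple):
    src: str       # client endpoint on the managed network
    dst: str       # server endpoint it connected to
    dst_port: int
    ts: int        # seconds since the start of the (constructed) capture


# Constructed sample flows; not taken from the disclosure.
FLOWS = [
    Flow("10.0.0.10", "203.0.113.5", 443, 12),     # contacts a server on the blocklist
    Flow("10.0.0.11", "192.0.2.80", 443, 5),       # ordinary web traffic
    Flow("10.0.0.11", "192.0.2.80", 443, 7),
    Flow("10.0.0.11", "192.0.2.80", 443, 100),
    Flow("10.0.0.20", "198.51.100.9", 8080, 0),    # server not on the blocklist, fixed-interval beacons
    Flow("10.0.0.20", "198.51.100.9", 8080, 60),
    Flow("10.0.0.20", "198.51.100.9", 8080, 120),
    Flow("10.0.0.20", "198.51.100.9", 8080, 180),
    Flow("10.0.0.20", "198.51.100.9", 8080, 240),
]

# Hypothetical blocklist of known bad server endpoints (assumed for this example).
KNOWN_BAD = {"203.0.113.5"}


def flag_by_blocklist(flows: Iterable[Flow], known_bad: Set[str]) -> Set[str]:
    """First TMS strategy: client endpoints that communicated with a known bad server."""
    return {f.src for f in flows if f.dst in known_bad}


def flag_by_pattern(flows: Iterable[Flow], min_conns: int, window: int) -> Set[str]:
    """Second TMS strategy: client endpoints whose traffic matches a recognized
    pattern, here at least `min_conns` connections to the same server within
    `window` seconds (a simple beaconing signature)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)
    flagged = set()
    for (src, _dst), stamps in by_pair.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # count connections inside the window that opens at this connection
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            if in_window >= min_conns:
                flagged.add(src)
                break
    return flagged


def missed_by_blocklist(flows: Iterable[Flow], known_bad: Set[str],
                        min_conns: int, window: int) -> Set[str]:
    """Clients caught only by the pattern rule: their server was not on the blocklist.
    A new server using a cadence the pattern rule does not know would be missed by both."""
    flows = list(flows)
    return flag_by_pattern(flows, min_conns, window) - flag_by_blocklist(flows, known_bad)


if __name__ == "__main__":
    print("blocklist hits:", flag_by_blocklist(FLOWS, KNOWN_BAD))
    print("pattern hits:  ", flag_by_pattern(FLOWS, 4, 300))
    print("unknown server, caught by pattern only:",
          missed_by_blocklist(FLOWS, KNOWN_BAD, 4, 300))
```

The blocklist rule flags only 10.0.0.10; the beaconing rule flags 10.0.0.20 even though 198.51.100.9 is not on the blocklist, but it does so only because that particular cadence was encoded as a known pattern. Any server endpoint and command-and-control structure that appears after the blocklist and pattern set were written falls outside both checks, which is the gap the next part of the disclosure addresses.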